MONGODB-CR is a challenge-response mechanism that authenticates users
through passwords. MONGODB-CR verifies supplied user credentials against
the user’s name, password and authenticationdatabase. The authentication database is the database where the
user was created, and the user’s database and the user’s name together serve to
identify the user.

After you upgrade a deployment that already has MongoDB Challenge
and Response (MONGODB-CR) user credentials, if you have not
upgraded the authentication schema, you can continue to use
MONGODB-CR:

For older versions of drivers that do not support MongoDB 3.0+
features, you will continue to use MONGODB-CR.

For drivers that support MongoDB 3.0+ features (see
Driver Compatibility Changes), you can explicitly specify
MONGODB-CR as the authentication mechanism to use MONGODB-CR.
Otherwise, the credentials are temporarily converted to use SCRAM
during authentication to provide improved protection from passive
eavesdroppers; this temporary conversion does not affect how the
credentials are stored.